Privacy Policy
Staff Arts · Last updated: [INSERT DATE]
This Privacy Policy explains how Qup DA (organisation number 912 372 022), a company registered in Norway ("we", "us", "Qup DA"), collects and processes personal data when you use the Staff Arts mobile application (the "App"). Qup DA is the data controller for the personal data described here.
We are committed to protecting your privacy and processing your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act.
1. What the App is
Staff Arts is a marketplace where artists can list artworks and events, and where users can browse listings and send private messages to one another. The App does not process payments; any sale or transaction is arranged directly between users outside the App.
2. Personal data we collect
We collect only the data needed to provide the App's features:
| Data | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|
| Email address | Account creation, login, security codes, and essential service communication | Performance of a contract (6(1)(b)) |
| PIN (stored only as a one-way bcrypt hash — never in plain text) | Authenticating your login | Performance of a contract (6(1)(b)) |
| Display name | Identifying you to other users on listings and in messages | Performance of a contract (6(1)(b)) |
| Profile image and bio (optional) | Your public profile, if you choose to add them | Consent (6(1)(a)) |
| Language preference | Showing the App in your chosen language | Legitimate interest (6(1)(f)) |
| Artwork and event listings, including images you upload | Displaying your listings in the marketplace | Performance of a contract (6(1)(b)) |
| Messages you send to other users | Delivering and storing your conversations | Performance of a contract (6(1)(b)) |
| Limited technical data (e.g. timestamps of activity) | Operating, securing, and debugging the service | Legitimate interest (6(1)(f)) |
We do not collect special categories of personal data, we do not run advertising, and we do not sell your personal data to anyone.
3. Messages between users
Staff Arts lets you exchange private messages with other users. Message content is stored on our servers so it can be delivered and shown in your conversation history. Messages are not end-to-end encrypted. Please do not share sensitive personal or financial information through the messaging feature. You are responsible for the content you send.
4. Who processes your data (sub-processors)
We use a small number of trusted service providers to operate the App. They process data only on our instructions:
- MongoDB — database hosting for accounts, listings, and messages.
- Cloudinary — storage and delivery of images you upload.
- DigitalOcean — hosting of our application servers.
Some of these providers may process data outside the European Economic Area (EEA). Where that happens, the transfer is protected by appropriate safeguards such as the European Commission's Standard Contractual Clauses.
5. How long we keep your data
We keep your personal data for as long as your account is active. When you delete your account, we delete or irreversibly anonymise your personal data, including your listings and messages, except where we are legally required to retain certain information for a limited period. Backups are overwritten on a routine cycle.
6. Your rights under the GDPR
You have the right to:
- access the personal data we hold about you;
- correct inaccurate or incomplete data;
- delete your data ("right to be forgotten");
- restrict or object to certain processing;
- receive your data in a portable format;
- withdraw consent at any time, where processing is based on consent.
You can delete your account and associated data directly in the App under Settings. To exercise any other right, email privacy@qupda.com. You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at www.datatilsynet.no.
7. Security
We use industry-standard measures to protect your data, including transport encryption (HTTPS), hashing of PINs, and access controls. No system is completely secure, but we take reasonable steps to protect your information.
8. Children
The App is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
9. Changes to this policy
We may update this policy from time to time. We will post the updated version here and revise the "Last updated" date. Significant changes will be communicated in the App where appropriate.
10. Contact
Qup DA
Organisation number: 912 372 022
Norway
Privacy enquiries: privacy@qupda.com
General support: support@qupda.com